Revision as of 11:07, 16 March 2014

The Project is currently under the process of porting from Perl to Python. The next version will be released soon !

OWASP SQLiX Project

OWASP SQLiX is...

Introduction

SQLiX, coded in Perl, is a SQL Injection scanner, able to crawl, detect SQL injection vectors, identify the back-end database and grab function call/UDF results (even execute system commands for MS-SQL). The concepts in use are different than the one used in other SQL injection scanners. SQLiX is able to find normal and blind SQL injection vectors and doesn't need to reverse engineer the original SQL request (using only function calls).

If you are a developer interested in remediating or avoiding the kinds of SQL Injection vulnerabilities this tool can find, check out the OWASP SQL Injection Prevention Cheat Sheet.

Description

SQLiX is a SQL Injection scanner which attempts to fill the gap between what commercial software available on the market can do and what can really be done to detect and identify SQL injection.

Current injection methods used by commercial web assessment software are based on error generation or statement injections.

error generation:

The error generation method is quite simple and is based on meta characters like single quotes or double quotes.
By injecting these characters in the original SQL request, you generate a syntax error which could result in an SQL error message displayed in the HTTP reply.
The main issue with this technique is the fact that it's only based on pattern matching.
There is no way to handle multiple languages or complex behaviors when the error message is filtered by the server-side scripts.

statement injection:

The second method used is statement injection.
Let's look at an example:

If the request (1) provides the same result as request (0) and request (2) doesn't, the scanner will conclude that SQL injection is possible.
This method works fine, but is very limited by the syntax of the original request. If the original request contains parentheses, store procedures or function calls, this method will rarely work.
Worse, if the variable is used by multiple SQL requests, all with different syntaxes, there is no automatic way to make them all work simultaneously.

Frequently you will see more advanced scanners like SQLBrute from www.justinclarke.com trying to reverse engineer the original SQL syntax by injecting multiple requests with different sets of parentheses or comas.
This method is a little more time consuming but does provide better results (for free), especially when error messages are not displayed.

Another global issue concerning SQL injection is the fact that pen testers frequently conclude that a given SQL injection vulnerability can't be exploited.
By concluding this incorrect statement they are inviting their customers to not patch the vulnerability.

Licensing

OWASP SQLiX is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

What is SQLiX?

OWASP SQLiX provides:

SQLiX uses multiple techniques to determine if the current server-side script is vulnerable to SQL Injection

conditional errors injection

blind injection based on integers, strings or statements

MS-SQL verbose error messages ("taggy" method)

SQLiX using UDF (User defined functions) or function calls thus no need to reverse engineer the original SQL syntax

SQLix is able to identify the database version and gather sensitive information for the following SQL servers: MS-Access, MS-SQL, MySQL, Oracle and PostgreSQL.

The comparison module of SQLiX is able to deal with complex HTML contents even when they include dynamic ads

SQLiX contains an exploit module to demonstrate how a hacker could exploit the found SQL injection to gather sensitive information

-url [URL] Scan a given URL.
Example: -url="http://target.com/index.php?id=1"
--post_content [CONTENT] Add a content to the current [URL]
and change the HTTP method to POST
-file [FILE_NAME] Scan a list of URI provided via a flat file.
Example: -file="./crawling"
-crawl [ROOT_URL] Scan a web site from the given root URL.
Example: -crawl="http://target.com/"

Injection vectors:

-referer Use HTTP referer as a potential injection vector.
-agent Use HTTP User agent as a potential injection vector.
-cookie [COOKIE] Use the cookie as a potential injection vector.
Cookie value has to be specified and the injection area
tagged as "--INJECT_HERE--".
Example: -cookie="userID=--INJECT_HERE--"

-exploit Exploit the found injection to extract information.
by default the version of the database will be retrieved
-function [function] Used with exploit to retrieve a given function value.
Example: -function="system_user"
Example: -function="(select password from user_table)"
-union Analyse target for potential UNION attack [MS-SQL only].

MS-SQL System command injection:

-cmd [COMMAND] System command to be executed.
Example: -cmd="dir c:\\"
-login [LOGIN] MS-SQL login to use if known.
-password [PASSWORD] MS-SQL password to use if known.

Volunteers

As of XXX, the priorities are:

xxx

xxx

xxx

We hope you find the OWASP SQLiX Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP SQLiX Project mailing list or view the archives, please visit the subscription page.